This release consists only of a security update. In previous releases, the SAML and Keycloak authentication backends did not protect against session fixation. If an attacker can deploy a malicious application in ShinyProxy, or has control over web applications hosted on the same domain (or a subdomain) as the ShinyProxy server, such an attacker could fix the session id of a user and ultimately hijack that user's session. This requires the victim to open either the malicious app or the malicious webpage. Updating to ShinyProxy 2.5.1 or 2.6.0 is advised when using the Keycloak or SAML backend. Other authentication backends (e.g. OpenID Connect, LDAP) are not vulnerable, so switching to another authentication backend is a possible workaround.
- Security Fix: enable session fixation protection when using SAML authentication
- Security Fix: enable session fixation protection when using Keycloak authentication
Note: the documentation of the Keycloak library advises against enabling session fixation protection, since it breaks "universal logout". However, since universal logout is a non-standard extension of the OIDC protocol, we prefer the security benefit of this protection over the "universal logout" feature.
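To make the fixed weakness concrete, the following is an added illustration and not ShinyProxy, Keycloak or Spring Security code: a constructed in-memory session store whose `login` either keeps the pre-authentication session id (the behaviour of the affected backends) or, with protection enabled, issues a fresh id and retires the old one, which is what session fixation protection in Spring Security does at authentication time. The `fixation_scenario` helper replays the advisory's scenario, a session id known to a third party before the victim authenticates, and reports whether that id now resolves to an authenticated session. All names and the scenario are assumptions made for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Session:
    """Server-side session state (constructed toy, not ShinyProxy code)."""
    user: Optional[str] = None                 # None until authentication succeeds
    attributes: Dict[str, str] = field(default_factory=dict)


class SessionStore:
    """Minimal in-memory session registry.

    protect_fixation=False reproduces the weakness the advisory describes:
    the session id present before login is kept after login.
    protect_fixation=True applies the fix: a fresh id is issued on login,
    pre-login attributes are migrated to it, and the old id is invalidated.
    """

    def __init__(self, protect_fixation: bool) -> None:
        self.protect_fixation = protect_fixation
        self._sessions: Dict[str, Session] = {}

    def new_session(self) -> str:
        sid = secrets.token_urlsafe(32)        # server-issued, unpredictable id
        self._sessions[sid] = Session()
        return sid

    def get(self, sid: str) -> Optional[Session]:
        return self._sessions.get(sid)

    def login(self, sid: str, user: str) -> str:
        """Authenticate the holder of `sid`; returns the id the client must use next."""
        current = self._sessions.get(sid)
        if current is None:
            # Unknown id: never adopt an id the server did not issue itself.
            sid = self.new_session()
            current = self._sessions[sid]
        if not self.protect_fixation:
            current.user = user                # id unchanged: anyone who knew it is now "user"
            return sid
        fresh = self.new_session()             # issue a new id at authentication time...
        self._sessions[fresh].attributes = dict(current.attributes)  # ...keep pre-login state...
        self._sessions[fresh].user = user
        del self._sessions[sid]                # ...and invalidate the pre-login id
        return fresh


def fixation_scenario(protect_fixation: bool) -> Tuple[bool, bool]:
    """Replay the advisory's scenario against a store.

    Returns (pre_login_id_now_authenticated_as_victim, victim_logged_in).
    """
    store = SessionStore(protect_fixation)
    # 1. A valid but unauthenticated id exists that a third party already knows
    #    (in the advisory: planted by a malicious app or same-domain page).
    planted_sid = store.new_session()
    # 2. The victim's browser carries that id when the victim authenticates.
    victim_sid = store.login(planted_sid, "alice")
    # 3. Does the pre-login id now resolve to the victim's authenticated session?
    planted = store.get(planted_sid)
    hijacked = planted is not None and planted.user == "alice"
    victim = store.get(victim_sid)
    return hijacked, victim is not None and victim.user == "alice"
```

Without protection the pre-login id becomes an authenticated session for "alice", so the victim and anyone else holding that id are logged in; with protection the victim is logged in under a new id and the pre-login id is gone. This is also why the fix costs Keycloak's "universal logout": that feature expects the id to stay stable across login, which is exactly what session fixation protection refuses to allow.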